By Scott Sammons
The General Data Protection Regulation (GDPR) and the recently announced Data Protection Bill (DP Bill) are bigger pieces of legislation than the old Data Protection Act 1998. We already know that remedies and complaints under the Regulation are more wide ranging and entities, in effect, are now to be seen as guilty until proven innocent (reference the need to be able to ‘demonstrate compliance’ in Article 5(2)).
Both the GDPR and the DP Bill give the Data Subject the right to lodge a complaint with the Information Commissioner if the Data Subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR (GDPR Article 57 and DP Bill Section 156).
In Article 38 (4) of the GDPR, it implies that Data Subjects can raise matters (complaints) with the Data Protection Officer but doesn’t explicitly state that Data Subjects can ‘lodge a complaint with the controller or processor’. The GDPR outlines that they can exercise their rights on the controller/processor (some of which, like the right to object to automated decision making, are often only really used if the Data Subject is unhappy about something). Therefore, as with today, you will want to encourage Data Subjects (should they have a concern) to bring it to you directly rather than go to the Information Commissioner. It is likely that the ICO will continue their stance of referring complainants back to the organisation concerned first if they have just gone straight to the ICO, but I wouldn’t rely on this if I was you. The world is changing, and in order to truly embed the transparency and accountability requirements of GDPR it is far better to have a visible complaints process for Data Subjects up front.
Also, neither the GDPR nor the DP Bill explicitly states that the Data Protection Officer should be the one to investigate and resolve GDPR related complaints. They do however, in Article 39 (1)(b) and Section 69 (1)-(3) respectively, state that the DPO should ‘monitor compliance’ with the GDPR and DP Bill. Therefore the DPO should definitely be part of the complaints process, especially for ‘high risk’ complaints, but as for investigating every single complaint, I can’t see an explicit requirement for that. Therefore if you’re the DPO for your organisation reading this or the IG/DP team member that will investigate DP complaints from data subjects then this may be of use to you.
Due to the above, however, this does mean that when investigating complaints and/or accusations of non-compliance with the GDPR (or the DP Bill), you will need to be more thorough and more specific in determining exactly where a ‘breach’ may or may not lie.
For many of you this will be old news and you are most probably already doing this, but to many people formal training in ‘complaint handling’ and investigation is something new. Hopefully you’ll find this useful, and it should follow the same sort of process and standards many organisations (especially those that are regulated) will have in place.
Firstly, many people will accuse you / your organisation of wrong doing and often provide a list of areas where they believe you have gone wrong. Some will be genuine and some will be utter nonsense. But you will need to be thorough to ensure that you can genuinely separate out what is a valid complaint and what is someone’s misunderstandings/ventings/vendettas. Always start from a position of an ‘accusation is not a fact’, regardless of the ICO position of ‘guilty until proven innocent’, any failing in your compliance controls will need evidencing and a thorough complaint investigation will determine that. Each accusation should be taken seriously but it will need to be investigated and evidenced to determine whether or not it is a valid complaint and there is a ‘case’ to be answered.
When investigating the matter at hand start at the very beginning. What started this person down this path to lodge a complaint? What were the interactions with your service? Were things done correctly? Can you evidence that a particular action (either good or bad) was actually carried out or is it a case of a staff member’s word vs the complainants? As you would with a legal case look for evidence to establish facts, the less evidence you have the more likely you are to have a weak case to defend. The more evidence you have the more you can prove one way or another what occurred and if the complaint has merit.
It is likely that during your investigation you’ll determine that x process was not followed or y system failed resulting in the errors causing the complaint. If you are able to come to the conclusion that processes, systems or any controls have indeed failed it may also be worth logging an ‘adverse incident’ on the controls that have failed.
For those that have seen any of my previous post on Information Risk, when you put things in place to prevent your risks from materialising these are referred to as “controls”. These controls can range from policies, procedures, training, technical solutions, and system design to anything really that helps you control that risk. When a control or controls fails this should be recorded as an ‘incident’ so that you can monitor the effectiveness of your controls and ensure whatever remedy you put in place to stop it re-occurring, actually helps that control (and isn’t just a default response of punish or train the staff member).
But I digress; let us go back to the complaint. Once your investigation is complete and for each aspect of the complaint you can conclude what has and what has not occurred you can start to draft a response and determine what parts of the complaint are ‘upheld’, ‘not upheld’ or ‘partially upheld’. If you imagine the ‘shopping list’ of accusations I referenced above, for each item on that list you should have a position of upheld, not upheld or partially upheld. If at any point:
Upheld is where you agree with the complainant and there is a case to be answered for. It is then up to you how you want to proceed with that complaint based on what standards and approach your organisation takes to resolving complaints. Where a complaint does look like it is to be upheld (and indeed with any ‘high risk’ complaints) you will also need to agree the outcome and actions with the Data Protection Officer.
Partially upheld are, as it says on the tin, areas where there is some merit to their complaint but it didn’t occur as they outline and/or the impacts they describe are heavily inflated / incorrect. This may still be a ‘high risk’ area even though it may only be partially upheld, therefore you may still need to ensure you have DPO sign off before issuing the response.
Not upheld are simply where you cannot evidence that what the complainant says occurs actually occurred or you have evidence to the contrary therefore their complaint is unfounded and can be, for want of a better word, rejected.
When responding back to the complainant you will need to run through each aspect of their complaint and outline your findings and why you have upheld or not upheld that aspect of their complaint. There could, for large complaints, be a mixture of upheld, partially upheld, and not upheld for the various different areas they are claiming you have not complied with the law.
If you can record all of the above, with the supporting evidence, should the complainant indeed then take their complaint to the ICO the majority of your investigative work should be complete. It can then be quickly investigated or even ‘reviewed’ by another party if that’s what your organisation prefers. In any event, if you’re the DPO or the person supporting the DPO in their tasks, this should make it easier to log, track, resolve and learn from complaints if and when you get them. Of course the ideal would be to not get any complaints, but in this world however that is never going to happen.
Life is far too imperfect, but a ‘close to perfect’ complaints and incidents process should help you manage your GDPR compliance and give you useful insight into what is going right and wrong in your organisation.
Scott Sammons FIIM, CIPP/E, AMIRMS is Chair of the Information and Records Management Society (IRMS) and sits on the Exam Board for our GDPR Practitioner Certificate courses (3 out of the next 5 are fully booked).
We have added a new course on the Data Protection Bill to our programme.